CVE-2017-5715: How to update microcode manually?

Last Updated: Jul 26, 2018 03:33PM UTC

Synopsis

To address CVE-2017-5715, also known as Spectre variant 2, new microcode must be installed on the hardware nodes. Some microcode updates are shipped with the `microcode_ctl` package, some are not. This article helps you determine whether you need to download and install new microcode.

How to verify if new microcode is needed?

If all needed updates are installed, Indirect Branch Restricted Speculation and Indirect Branch Prediction Barriers should be enabled:

Note: on Virtuozzo 6 servers, 'debugfs' is not mounted by default. You may need to mount it:

~# mount -t debugfs debugfs /sys/kernel/debug

Is there a supported way to update microcode?

The easiest way to update microcode is to install a BIOS update. Contact the hardware manufacturer to check whether a BIOS update exists for your server and whether it includes a microcode update that mitigates CVE-2017-5715. If there is no BIOS update, continue reading this article.

NOTE: Virtuozzo does not guarantee that the method described below works on your installations. Please apply it to a test server first.

How to determine the current microcode version and whether it can be updated?

To check what microcode is needed, take the signature from `dmesg` and convert it to the family-model-stepping format:
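One way to do this conversion, shown as an added example that is not part of the original article: the functions below decode the `sig=` value from the kernel's `microcode:` lines using the standard CPUID signature layout and print it as two-digit hex `family-model-stepping`, the form used in Intel microcode file names. The function names and the sample `dmesg` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the CPUID signature found in "microcode:" dmesg lines.

# sig_to_fms 0xSIG -> family-model-stepping, e.g. 06-3f-02
sig_to_fms() {
    # Accept only 0x-prefixed hex so nothing unexpected reaches $(( )).
    case $1 in 0x*) ;; *) return 1 ;; esac
    hex=${1#0x}
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    sig=$(( 0x$hex ))
    stepping=$(( sig & 0xf ))               # bits 3:0
    model=$(( (sig >> 4) & 0xf ))           # bits 7:4
    family=$(( (sig >> 8) & 0xf ))          # bits 11:8
    ext_model=$(( (sig >> 16) & 0xf ))      # bits 19:16
    ext_family=$(( (sig >> 20) & 0xff ))    # bits 27:20
    # The extended model counts for families 6 and 15,
    # the extended family only for family 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (ext_model << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ext_family ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# dmesg_to_fms: read dmesg text on stdin and print one line per distinct
# signature/revision pair. Real use: dmesg | dmesg_to_fms
dmesg_to_fms() {
    while IFS= read -r line; do
        case $line in *microcode:*sig=0x*revision=0x*) ;; *) continue ;; esac
        raw_sig=${line##*sig=};  raw_sig=${raw_sig%%[!0-9a-fx]*}
        rev=${line##*revision=}; rev=${rev%%[!0-9a-fx]*}
        fms=$(sig_to_fms "$raw_sig") || continue
        printf '%s revision=%s\n' "$fms" "$rev"
    done | sort -u
}

# Constructed sample input (not taken from a real server).
sample_dmesg() {
    cat <<'EOF'
microcode: CPU0 sig=0x306f2, pf=0x1, revision=0x36
microcode: CPU1 sig=0x306f2, pf=0x1, revision=0x36
EOF
}

sample_dmesg | dmesg_to_fms
```

The `revision=` value printed next to each signature is the microcode revision currently loaded, which is what a candidate update has to be compared against.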